Re: Review Request 59701: AMBARI-21154 : Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket-cache

Fri, 23 Jun 2017 05:45:08 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59701/
-----------------------------------------------------------

(Updated June 23, 2017, 12:44 p.m.)


Review request for Ambari, Alejandro Fernandez, Gautam Borad, Madhan Neethiraj, 
Mugdha Varadkar, Nixon Rodrigues, Robert Levas, and Sumit Mohanty.


Changes
-------

Patch for branch-2.5 is attached to Apache JIRA


Bugs: AMBARI-21154
    https://issues.apache.org/jira/browse/AMBARI-21154


Repository: ambari


Description (updated)
-------

In a kerberized environment, Atlas hook uses JAAS configuration section named 
"KakfaClient" to authenticate with Kafka broker. In a typical Hive deployment 
this configuration section is set to use the keytab and principal of 
HiveServer2 process. The hook running in HiveCLI might fail to authenticate 
with Kafka if the user can't read the configured keytab.

Given that HiveCLI users would have performed kinit, the hook in HiveCLI should 
use the ticket-cache generated by kinit. When ticket cache is not available 
(for example in HiveServer2), the hook should use the configuration provided in 
KafkaClient JAAS section

As a solution need to add below in hive atlas-application.properties by default 
if atlas-hive hook is enabled in secure mode

atlas.jaas.ticketBased-KafkaClient.loginModuleControlFlag=required
atlas.jaas.ticketBased-KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
atlas.jaas.ticketBased-KafkaClient.option.useTicketCache=true

The attached patch is for trunk branch, patch for branch-2.5 is attached to 
Apache Jira


Diffs
-----

  
ambari-server/src/main/resources/common-services/HIVE/2.1.0.3.0/service_advisor.py
 6d3e13d 
  ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/config-upgrade.xml 
a29f74b 
  
ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml
 8c659ee 
  ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml 
3054ca3 
  ambari-server/src/main/resources/stacks/HDP/2.6/services/stack_advisor.py 
f8bbca5 
  ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/config-upgrade.xml 
1cbd78b 
  
ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/nonrolling-upgrade-2.6.xml
 ede267a 
  ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/upgrade-2.6.xml 
b70943b 
  ambari-server/src/test/python/stacks/2.6/common/test_stack_advisor.py d4d28c9 


Diff: https://reviews.apache.org/r/59701/diff/2/


Testing
-------

Verified fresh install and upgrade on Cent-OS-6.


Thanks,

Vishal Suvagia

Reply via email to